{ pkgs, ... }:

{
  services.nginx.virtualHosts = {
    "www.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        return = "301 https://clerie.de$request_uri";
      };
    };

    "clerie.de" = {
      enableACME = true;
      forceSSL = true;
      root = pkgs.fetchgit {
        url = "https://git.clerie.de/clerie/clerie.de.git";
        rev = "d3f220899ecb98e87026ee0a7600bb8898ae3c42";
        sha256 = "sha256-3o2/+m5OGSfc5RTrS4/j/aVibDasQISL7vY+J3yxbB8=";
      };
      locations."= /ssh/known_hosts" = {
        alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
      };
      locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = {
        extraConfig = ''
          default_type application/octet-stream;
          add_header Access-Control-Allow-Origin * always;
          try_files /gpg/clerie@clerie.de =404;
        '';
      };
      locations."= /.well-known/openpgpkey/policy" = {
        extraConfig = ''
          default_type application/octet-stream;
          add_header Access-Control-Allow-Origin * always;
        '';
        return = "200 ''";
      };
      extraConfig = ''
        access_log /var/log/nginx/clerie.de.log combined_anon;
      '';
    };
  };
}